The present disclosure relates generally to security testing using semantic modeling and, more particularly, to efficiently testing vulnerabilities in software applications running over a networked environment.
Software applications that are executed in a networked computing environment, particularly Web applications, are subject to an increasing number of security attacks. Such security attacks take advantage of known or discoverable vulnerabilities in an application and infiltrate the underlying system. Injection attacks, such as cross-site scripting (XSS) and SQL injection (SQLi), are examples of security attacks that have become prevalent, leading to the evolution of tools for testing applications defense mechanisms against intrusion. IBM® AppScan Standard and Enterprise Edition or HP® WebInspect are two examples of such testing tools.
Typically, a testing tool operates by simulating a “naïve” attacker, where a list of tests for different types of vulnerabilities is defined. The testing tool then sends these tests to a target application by first exploring the application's interfaces (e.g., by running a standard crawler) and then mutating requests that were used during the crawling phase by embedding the test data (e.g., a payload) within them. For example, the tool may change a benign HTTP parameter in a GET request into a script to test for XSS vulnerabilities. The tool then analyzes the response from the target application or website to determine whether the attack has succeeded.
In an ideal scenario, the testing tool will try all possible tests and stops when an attack succeeds. However, the costs associated with sending certain tests to the application (e.g., HTTP requests with multiple payloads) are very high. Therefore, to retain reasonable performance, commercial testing tools (i.e., scanners) can reasonably attempt only a certain number of payloads per HTTP parameter.